The alert is setup correctly, but, that also assumes the Risk name contains "ransom". To be honest Symantec risk names vary for ransomware so you may need to look through they and pick out which ones you need. I know there are ones that contain crytpolocker as well as others. Multiple alerts will be needed.